Hedge Funds Raise the Urgency Level on Cyber Security

Hedge funds are bracing for SEC exams on cyber security preparedness in 2014, but do they need a chief information security officer?

Hedge funds are paying more attention to cyber security as a result of recent guidance from the Securities and Exchange Commission.

An April risk alert has raised the urgency level for alternative funds registered with the US regulatory body to assess information security and test for any vulnerabilities. The SEC's Office of Compliance Inspections and Examinations (OCIE) notified hedge funds and more than 50 registered broker dealers and investment advisers that the agency's 2014 examinations would focus on cyber security preparedness. The OCIE has given the funds a questionnaire to fill out.

Yigal Behar, head of business development at 2Secure, which provides computer network and Internet vulnerability assessments from its offices in the Wall Street area, said it is seeing growing demand among small and midsized hedge funds to meet their information security needs.

"It's a war going on outside, especially when you see breaches on a daily basis," Behar said. "Often companies don't see that they were breached until only months or years [after] they were breached."

From a personnel standpoint, the SEC is asking firms to indicate if they have a chief information security officer (CISO) or equivalent position and to identify that person and title. Firms that don't have such a position are being asked, "Where does principal responsibility for overseeing cybersecurity reside within the firm?"

Hiring a CISO can be expensive

Some hedge funds have chief technology officers, but the CTO function is not focused on security. "People think that, if they have a CTO function, that would be sufficient," Behar said. "But the CTO would be a person whose function is to use existing and future technologies to improve their business."

Hedge funds won't be able to escape the need for a CISO, but many small funds cannot afford to hire a full-time one. To address this need, 2Secure has developed HF-CISO On-Demand, a service designed to help small firms with the growing threat landscape while achieving regulatory compliance. "They will need a solution so that the cost and investment will be reasonable for them because of their size, and also that is compliant with regulatory requirements and that keeps them secure, because all of a sudden clients will ask them, 'What do you do for security?'"

In turn, funds will ask their website designer what it has done to ensure security. And clients with security awareness will say to their hedge funds, "I am giving you my precious information. How do you make sure it's safe?," Behar said. "It's pressure from different directions, directly and indirectly."

The financial industry is increasingly viewed as a target of cyberattacks. Yesterday, news outlets reported that computer hackers stole gigabytes of data from JPMorgan Chase and four other banks over the past month. But it's the SEC alert that has convinced firms they can no longer neglect security. Behar spoke with a hedge fund from Connecticut months before the alert came out. The fund said it could meet with him in June or July. When he followed up in June, after the hedge fund saw the alert, it wanted to meet the next week.

Hedge funds that lack a CISO are starting to consider alternatives that can cover this function. For instance, 2Secure offers various services, including penetration testing, risk assessment, policy and incident preparedness, incident response, and recovery planning. Those services are geared specifically to information security that an organization needs to "stay alive if something happens." The firm will package up different services, depending on each fund's needs.

Most funds will implement security to comply with regulations, but Behar said testing once a year is not enough. Firms need to see if they have been penetrated, and they need to patch holes in their software that leave them vulnerable to hackers. For example, funds may change or update systems, which then require testing. Systems can become outdated, and many firms neglect patch management, he said, even though vendors like Microsoft issue patches all the time. "You need to have some tools that do automatic scanning to detect the low-hanging fruit, and then you need the human to interact with those systems and do some more testing." At the same time, firms cannot deploy patches without testing them first, because an untested patch can cause instability.
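The "automatic scanning for low-hanging fruit" step above is, at its simplest, a check of what is installed against what the vendor has already fixed, staged so that test hosts are patched before production. The script below is an added illustration of that pattern; it is not 2Secure's tooling or anything from the article. The product names, fixed-version table, and fleet inventory are all constructed for the example, and the version comparison is deliberately numeric so that 2.10.0 sorts after 2.9.3 (a plain string comparison gets this wrong).

```python
"""Patch-compliance scanner: flag hosts running software below the version
in which a known issue was fixed, and order remediation so test hosts go
first and production only afterwards.

Added example; the product names, fixed versions and fleet are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Host:
    name: str
    role: str        # "test" or "prod": which patch wave the host belongs to
    software: dict   # product name -> installed version string


def parse_version(v: str) -> tuple:
    """Split '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical.
    Non-numeric components such as 'beta' are treated as 0."""
    parts = re.split(r"[.\-]", v.strip())
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def is_older(installed: str, required: str) -> bool:
    """True if installed < required, padding shorter versions with zeros
    so that '4.2' compares equal to '4.2.0' rather than below it."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Hypothetical "fixed in version X" table (constructed; not real advisories).
MIN_FIXED = {
    "db-server": "4.2.1",
    "web-gateway": "2.10.0",
    "trading-client": "7.1.5",
}


def outdated(host: Host, min_fixed=MIN_FIXED):
    """Return [(product, installed, required)] for software below its fixed version."""
    findings = []
    for product, installed in host.software.items():
        required = min_fixed.get(product)
        if required is None:
            continue                      # nothing known about this product
        if is_older(installed, required):
            findings.append((product, installed, required))
    return findings


def rollout_plan(hosts, min_fixed=MIN_FIXED):
    """Group hosts needing patches into waves: patch 'test' first, and only
    promote to 'prod' once the test wave has been exercised by a human."""
    plan = {"test": [], "prod": []}
    for host in hosts:
        findings = outdated(host, min_fixed)
        if findings:
            plan[host.role].append((host.name, findings))
    return plan


# Constructed fleet inventory for the example.
FLEET = [
    Host("hf-test-01", "test", {"db-server": "4.1.9", "web-gateway": "2.10.0"}),
    Host("hf-prod-db", "prod", {"db-server": "4.1.9", "trading-client": "7.1.5"}),
    Host("hf-prod-web", "prod", {"web-gateway": "2.9.3"}),
    Host("hf-prod-ok", "prod", {"db-server": "4.2.1", "web-gateway": "2.11.0"}),
]


if __name__ == "__main__":
    for wave in ("test", "prod"):
        print(f"== {wave} wave ==")
        for name, findings in rollout_plan(FLEET)[wave]:
            for product, installed, required in findings:
                print(f"{name}: {product} {installed} -> needs {required}")
```

Running it lists hf-test-01 in the test wave and hf-prod-db and hf-prod-web in the production wave, while hf-prod-ok is left alone. The scanner only finds what is already known to be fixed; the hands-on testing Behar describes still has to follow, and the two-wave ordering is the minimum safeguard against the instability an untested patch can introduce.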

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...